Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method for ransomware detection and prevention, comprising: receiving an event stream associated with one or more computer system events; generating user-added-value knowledge data for one or more digital assets by modeling digital asset interactions based on the event stream, including accumulating user-added-values of each of the one or more digital assets, wherein generating the user-added-value knowledge data further includes: detecting one or more events corresponding to one or more interactive user logon sessions based on the event stream; performing an intra-host causal relationship analysis to obtain one or more user session activity graphs by tracking processes associated with at least one user session, and uncovering causal relationships between the tracked processes; and performing an inter-host activity correlation analysis based on interactive operations performed by a user remotely logged onto at least one other host computer system, including tracking user session process activities across multiple hosts; and detecting ransomware behavior based at least in part on the user-added-value knowledge, including analyzing destruction of the user-added values for the one or more digital assets.
2. The method of claim 1, wherein generating the user-added-value knowledge data further includes removing one or more non-interactive activities from the one or more user session activity graphs.
3. The method of claim 1, further comprising extracting one or more possible destructive actions from the event stream, wherein analyzing the destruction of the user-added-values for the one or more digital assets further includes combining the one or more possible destruction actions and the user-added-value knowledge data.
4. The method of claim 1, further comprising generating one or more responses based on the detection of ransomware behavior.
5. A computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method for ransomware detection and prevention, the method performed by the computer comprising: receiving an event stream associated with one or more computer system events; generating user-added-value knowledge data for one or more digital assets by modeling digital asset interactions based on the event stream, including accumulating user-added-values of each of the one or more digital assets, wherein generating the user-added-value knowledge data further includes: detecting one or more events corresponding to one or more interactive user logon sessions based on the event stream; performing an intra-host causal relationship analysis to obtain one or more user session activity graphs by tracking processes associated with at least one user session, and uncovering causal relationships between the tracked processes; and performing an inter-host activity correlation analysis based on interactive operations performed by a user remotely logged onto at least one other host computer system, including tracking user session process activities across multiple hosts; and detecting ransomware behavior based at least in part on the user-added-value knowledge, including analyzing destruction of the user-added values for the one or more digital assets.
6. The computer program product of claim 5, wherein generating the user-added-value knowledge data further includes removing one or more non-interactive activities from the one or more user session activity graphs.
7. The computer program product of claim 5, wherein the method further includes extracting one or more possible destructive actions from the event stream, wherein analyzing the destruction of the user-added-values for the one or more digital assets further includes combining the one or more possible destruction actions and the user-added-value knowledge data.
8. The computer program product of claim 5, further comprising generating one or more responses based on the detection of ransomware behavior.
9. A system for ransomware detection and prevention, comprising: a memory device for storing program code; and at least one processor device operatively coupled to a memory device and configured to execute program code stored on the memory device to: receive an event stream associated with one or more computer system events; generate user-added-value knowledge data for one or more digital assets by modeling digital asset interactions based on the event stream by accumulating user-added-values of each of the one or more digital assets, wherein generating the user-added-value knowledge data further includes: detecting one or more events corresponding to one or more interactive user logon sessions based on the event stream; performing an intra-host causal relationship analysis to obtain one or more user session activity graphs by tracking processes associated with at least one user session, and uncovering causal relationships between the tracked processes; and performing an inter-host activity correlation analysis based on interactive operations performed by a user remotely logged onto at least one other host computer system, including tracking user session process activities across multiple hosts; and detect ransomware behavior based at least in part on the user-added-value knowledge by analyzing destruction of the user-added values for the one or more digital assets.
10. The system of claim 9, wherein the at least one processor is further configured to generate the user-added-value knowledge data by removing one or more non-interactive activities from the one or more user session activity graphs.
11. The system of claim 9, wherein the at least one processor device is further configured to extract one or more possible destructive actions from the event stream, wherein the at least one processor is further configured to analyze the destruction of the user-added-values for the one or more digital assets by combining the one or more possible destruction actions and the user-added-value knowledge data.
12. The system of claim 9, wherein the at least one processor device is further configured to generate one or more responses based on the detection of ransomware behavior.
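The following is an added illustration, constructed for this page, of the pipeline the claims recite: interactive logon sessions are detected from an event stream, an intra-host process causality graph is built per session with non-interactive activity dropped (claim 2), a remote logon is correlated back to the originating session on another host so one user's activity is tracked across hosts, user-added value is accumulated per digital asset from that interactive activity, and possible destructive actions are extracted and combined with the value model (claim 3) to raise an alert and a response (claim 4). It is not the patentee's code and nothing in the claims discloses these event field names, hosts, users, paths, the byte-count value measure, the operation classes or the 25% threshold; all of those are assumptions made here so the example runs offline.

```python
from collections import defaultdict

# Assumed operation classes and threshold; the claims name none of these values.
VALUE_OPS = {"write"}                                # operations treated as adding user value
DESTRUCTIVE_OPS = {"overwrite", "rename", "delete"}  # "possible destructive actions" (claim 3)
ALERT_FRACTION = 0.25                                # destroyed share of a user's value that alerts

# Constructed event stream (hypothetical hosts, users, pids and paths).
EVENTS = [
    {"type": "logon", "host": "H1", "user": "alice", "session": 1, "interactive": True},
    {"type": "proc", "host": "H1", "session": 1, "pid": 100, "ppid": 1, "name": "explorer.exe"},
    {"type": "proc", "host": "H1", "session": 1, "pid": 110, "ppid": 100, "name": "winword.exe"},
    {"type": "file", "host": "H1", "pid": 110, "op": "write", "path": r"C:\Users\alice\report.docx", "bytes": 40000},
    {"type": "file", "host": "H1", "pid": 110, "op": "write", "path": r"C:\Users\alice\report.docx", "bytes": 12000},
    # Non-interactive service session: its activity is removed from the user's model (claim 2).
    {"type": "proc", "host": "H1", "session": 0, "pid": 50, "ppid": 4, "name": "backupsvc.exe"},
    {"type": "file", "host": "H1", "pid": 50, "op": "write", "path": r"C:\Backup\blob.bin", "bytes": 900000},
    # alice logs on to H2 interactively from her H1 session (inter-host correlation).
    {"type": "logon", "host": "H2", "user": "alice", "session": 3, "interactive": True,
     "source_host": "H1", "source_session": 1},
    {"type": "proc", "host": "H2", "session": 3, "pid": 200, "ppid": 1, "name": "explorer.exe"},
    {"type": "proc", "host": "H2", "session": 3, "pid": 210, "ppid": 200, "name": "excel.exe"},
    {"type": "proc", "host": "H2", "session": 3, "pid": 220, "ppid": 200, "name": "notepad.exe"},
    {"type": "file", "host": "H2", "pid": 210, "op": "write", "path": r"D:\finance\q4.xlsx", "bytes": 25000},
    {"type": "file", "host": "H2", "pid": 220, "op": "write", "path": r"D:\finance\notes.txt", "bytes": 3000},
    # A child of the same session then rewrites and renames what alice produced.
    {"type": "proc", "host": "H2", "session": 3, "pid": 300, "ppid": 200, "name": "cryptor.exe"},
    {"type": "file", "host": "H2", "pid": 300, "op": "overwrite", "path": r"D:\finance\q4.xlsx", "bytes": 25100},
    {"type": "file", "host": "H2", "pid": 300, "op": "rename", "path": r"D:\finance\q4.xlsx", "bytes": 0},
    {"type": "file", "host": "H2", "pid": 300, "op": "overwrite", "path": r"D:\finance\notes.txt", "bytes": 3100},
]


def detect_sessions(events):
    """Interactive logon sessions, with a remote logon linked to the session it came from."""
    sessions = {}
    for e in events:
        if e["type"] == "logon" and e.get("interactive"):
            origin = (e["source_host"], e["source_session"]) if "source_host" in e else None
            sessions[(e["host"], e["session"])] = {"user": e["user"], "origin": origin}
    return sessions


def root_principal(sessions, key):
    """Inter-host correlation: follow remote-logon links back to the originating session."""
    seen = set()
    while key in sessions and sessions[key]["origin"] is not None and key not in seen:
        seen.add(key)
        key = sessions[key]["origin"]
    return key


def build_process_graph(events, sessions):
    """Intra-host causality: each tracked process with its parent; non-interactive sessions dropped."""
    procs = {}
    for e in events:
        if e["type"] == "proc" and (e["host"], e["session"]) in sessions:
            procs[(e["host"], e["pid"])] = {"ppid": e["ppid"], "name": e["name"],
                                            "session": (e["host"], e["session"])}
    return procs


def causal_chain(procs, host, pid):
    """Ancestor-to-descendant process names for one tracked process."""
    chain = []
    while (host, pid) in procs:
        chain.append(procs[(host, pid)]["name"])
        pid = procs[(host, pid)]["ppid"]
    return chain[::-1]


def analyze(events):
    sessions = detect_sessions(events)
    procs = build_process_graph(events, sessions)
    value, principal_total, asset_principal = defaultdict(int), defaultdict(int), {}
    # Accumulate user-added value: bytes written by processes inside interactive session graphs,
    # credited to the root principal so activity on both hosts rolls up to one user.
    for e in events:
        key = (e.get("host"), e.get("pid"))
        if e["type"] == "file" and e["op"] in VALUE_OPS and key in procs:
            principal = root_principal(sessions, procs[key]["session"])
            asset = (e["host"], e["path"])
            value[asset] += e["bytes"]
            principal_total[principal] += e["bytes"]
            asset_principal[asset] = principal
    # Extract possible destructive actions and combine them with the value model (claim 3).
    destroyed = defaultdict(set)
    for e in events:
        if e["type"] == "file" and e["op"] in DESTRUCTIVE_OPS and (e["host"], e["path"]) in value:
            destroyed[(e["host"], e["pid"])].add((e["host"], e["path"]))
    alerts = []
    for (host, pid), assets in destroyed.items():
        lost = sum(value[a] for a in assets)                 # each asset counted once
        victim = asset_principal[next(iter(assets))]         # assumes one victim per process
        if lost >= ALERT_FRACTION * principal_total[victim]:
            alerts.append({"host": host, "pid": pid, "process_chain": causal_chain(procs, host, pid),
                           "victim": victim, "destroyed_value": lost, "assets": sorted(assets),
                           "response": ("suspend", host, pid)})   # claim 4 style response
    return {"value": dict(value), "principal_total": dict(principal_total), "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(EVENTS)["alerts"]:
        print(alert)
```

On the constructed stream the backup service's 900 kB write adds no value because it runs outside any interactive session, alice's H1 and H2 activity is credited to a single principal (80,000 bytes), and the overwrite-and-rename of her two H2 documents destroys 28,000 bytes of that value, crossing the assumed 25% threshold and producing one alert with the causal chain explorer.exe to cryptor.exe. Note that the same byte-count value measure would be a poor choice in production; a real deployment would weight by edit frequency, recency and session interactivity, which the claims describe only abstractly as accumulated user-added value.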
January 11, 2022